Project Description

Create an approach to graph the topological structure of a domain name based malware distribution network (MDN) by leveraging search engine data that facilitates the identification and attribution of persistent sub-networks and highly trafficked individual domains.

Expected Outcomes

• Identify domains' roles in distribution
• Identify key domains and persistent sub-networks
• Determine MDN structural robustness
• Perform trend analysis to predict future cyber attacks
• Correlate data trends to known offensive/defensive cyber events

Impact for the DoD: Real-time tracking of MDNs facilitates identifying early warning indicators of cyber events, including potential threats to DoD cyber assets. MDN analysis allows attribution to geographic locations of key malicious resources.
Malware Distribution Network (MDN)

An MDN is an active network of interconnected servers running as a backend to facilitate malware distribution, malicious attacks and other nefarious acts.

The topological structure of an MDN is represented with a directed graph. Each node is a malicious domain and each edge represents a direct connection between 2 nodes.
Node Types: Malware Host (MH)
Node Types: Root Malware Host (RMH)
Data Collection

Bing Link From Domain
~42 results per domain

Google Safe Browsing (GSB)
- We collect 3 times a day using 1 Windows & 5 Linux systems
Graph Creation

Example GSB diagnostic page for one domain, as shown on the slide:

Safe Browsing

Diagnostic page for overthehedgemovie.com

What is the current listing status for overthehedgemovie.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 23 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 20 pages we tested on the site over the past 90 days, 19 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-02-20, and the last time suspicious content was found on this site was on 2013-02-20.

Malicious software includes 28 trojan(s).

Malicious software is hosted on 1 domain(s), including hostads.cn/.

This site was hosted on 2 network(s) including AS22822 (LLNW), AS36213 (DWASKGI).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, overthehedgemovie.com appeared to function as an intermediary for the infection of 6 site(s) including pebcak.de/, vaneznal.ru/, visuellerorgasmus.de/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 6 domain(s), including pebcak.de/, vaneznal.ru/, visuellerorgasmus.de/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 5 hours ago
Findings - Domains and Connectivity

607 collections from Oct 2012 - Aug 2014

Average graph has 42,571 nodes, 52,046 edges

Unique domain count overall: 224,282
Daily max: 56,126, min: 27,772
Per collection max: 55,632, min: 21,720
Findings - Domains and Connectivity

Most connected super nodes overall:

1. vk.com 1389
2. bit.ly 570
3. amazingonlykeys.com 384
4. t.co 356
5. reference.com 294
6. search.com.vn 289

Average number of occurrences of each node type per collection:

RMH: 8194, MH: 97, MI: 7556, MH+MI: 5394
Findings - Domains and Connectivity

Total unique top level domains: 253

Top 5 most occurring TLDs:

1. com 88,552
2. ru 17,006
3. net 13,202
4. org 9,549
5. de 9,374
Findings - Domains and Connectivity

Total unique IP addresses: 56,339

Top 5 most occurring IP addresses:

1. 46.*.*.* 89
2. 213.*.*.* 62
3. 195.*.*.* 61
4. 80.*.*.* 60
5. 82.*.*.* 57
Findings - Domains and Connectivity

Unique gov domains:

.gov.* 392
.gov 30
.gov.uk 6
.gov.cn 152

dot gov super nodes:

1. 9 edges (1 domain)
2. 8 edges (2 domains)
3. 7 edges (2 domains)
4. 6 edges (3 domains)
Findings - Structural Robustness

[Figure: structural robustness plot; y-axis: edges after cut / total edges]
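As an added example (not code from the project), the following Python turns GSB diagnostic text like the page shown under Graph Creation into the directed graph described on the MDN slide, lists the most connected super nodes, and computes the robustness metric from the plot above: edges remaining after cutting the top-k nodes, divided by total edges. The first input snippet is modelled on the slide's diagnostic page; the second page and the site-a/site-b names are constructed, and the edge direction (malware host -> site, intermediary -> infected site) is this example's assumption.

```python
import re

# Constructed sample input: the first snippet is modelled on the Google Safe
# Browsing diagnostic text shown on the slide; the second is invented so the
# graph has more than one hub. Edge direction is this example's assumption.
PAGES = {
    "overthehedgemovie.com": """
        Malicious software is hosted on 1 domain(s), including hostads.cn/.
        Over the past 90 days, overthehedgemovie.com appeared to function as an
        intermediary for the infection of 6 site(s) including pebcak.de/,
        vaneznal.ru/, visuellerorgasmus.de/.""",
    "pebcak.de": """
        Malicious software is hosted on 1 domain(s), including hostads.cn/.
        Over the past 90 days, pebcak.de appeared to function as an intermediary
        for the infection of 2 site(s) including site-a.example/, site-b.example/.""",
}
DOMAIN = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)/")
HOSTED = re.compile(r"hosted on \d+ domain\(s\), including (.*?)\.(?:\s|$)")
INTERMED = re.compile(r"infection of \d+ site\(s\) including (.*?)\.(?:\s|$)")

def parse_page(site, text):
    """Edges from one diagnostic page: host -> site, site -> each infected site."""
    flat = " ".join(text.split())
    edges = set()
    m = HOSTED.search(flat)
    if m:
        edges.update((host, site) for host in DOMAIN.findall(m.group(1)))
    m = INTERMED.search(flat)
    if m:
        edges.update((site, victim) for victim in DOMAIN.findall(m.group(1)))
    return edges

def build_graph(pages):
    edges = set()
    for site, text in pages.items():
        edges |= parse_page(site, text)
    return edges

def degree(edges):
    deg = {}
    for src, dst in edges:
        deg[src] = deg.get(src, 0) + 1
        deg[dst] = deg.get(dst, 0) + 1
    return deg

def super_nodes(edges, n):
    """Most connected nodes (in + out degree), ties broken by name."""
    return sorted(degree(edges).items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def edge_retention_after_cut(edges, k):
    """Slide metric: edges left after removing the k highest-degree nodes / total."""
    cut = {node for node, _ in super_nodes(edges, k)}
    kept = [e for e in edges if e[0] not in cut and e[1] not in cut]
    return len(kept) / len(edges) if edges else 0.0
```

With the two constructed pages the graph has 7 edges; cutting the single top node already drops it to 3/7 of its edges, which is the fragility the conclusions describe.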
Findings - Early Indicators of Cyber Attacks

Conclusions

- MDNs serve as the backend distribution network of malware and malicious cyber events
- A graph can be very large, consisting mostly of RMH and MI
- Domains are of all types, including .gov
- Structural robustness is minimal; it is rather easy to split an MDN into subnets
- Evidence suggests MDNs can provide early warning indicators of cyber events

Potential next steps

- Deeper analysis of the collected data
- Attempt the same analysis with other data sets
- Provide early warning indicators to those interested
- We have more detailed data, contact us!